How to configure trusted CA certificates for SSL client?

MeV michael.vilain at gmail.com
Wed Feb 8 01:30:45 EST 2017


On Tuesday, February 7, 2017 at 9:42:54 AM UTC-8, Yang, Gang CTR (US) wrote:

> My question is where does SSL client code get the trusted CA certificates from, from Python or the underlying OS? What configuration do I need in order for the SSL client to conduct the SSL handshake successfully?
> 

When I set up TLS for a K/V pair database with self-signed certs, I could supply two types of certs:

- peer certs with the IP and DNS name tied to the node, signed by the self-signed CA I generated
- client cert that had the IP and DNS for ALL the machines in the cluster, signed by the CA

To connect to any of the clients, I had to provide the client cert, key, and the CA.  That's just the way the software was built.

For browsers, each browser has a CA from various authorities and you add an intermediate key signed by one of those authorities (e.g. Verisign which costs $2000) to the browser to allow you to access a specific domain through a wildcard cert.  My K/V software didn't support that.

Look at how CentOS 6 stores its certs in /etc/pki.  I think that's where you'd put your CA + client key bundle.  Which means you have to do this for all machines that run your code.  That's not optimal or at all portable.  You'll probably have to deliver the app as a VM or a docker container to put it all together.

Good luck.
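To make the CA question concrete, the following added example (not code from this thread) shows where CPython's ssl module looks for trusted CAs by default and how a verifying client context layers a private CA and a client cert/key on top of the OS trust store. The PEM string is a constructed placeholder and the cert/key file paths are assumptions.

```python
import ssl
from typing import Optional


def trust_store_summary() -> dict:
    """Where this Python's OpenSSL looks for CA certificates by default.

    ssl.create_default_context() calls load_default_certs(), which uses
    these OpenSSL defaults (and honours the SSL_CERT_FILE / SSL_CERT_DIR
    environment variables); Python itself ships no CA bundle.
    """
    paths = ssl.get_default_verify_paths()
    return {
        "cafile": paths.cafile,                  # bundle file found, or None
        "capath": paths.capath,                  # hashed cert dir found, or None
        "cafile_env": paths.openssl_cafile_env,  # env var that overrides cafile
        "capath_env": paths.openssl_capath_env,  # env var that overrides capath
    }


def build_client_context(
    ca_pem: Optional[str] = None,
    certfile: Optional[str] = None,   # assumed path to the client cert (PEM)
    keyfile: Optional[str] = None,    # assumed path to its private key (PEM)
) -> ssl.SSLContext:
    """Client context that verifies the server and optionally presents a client cert."""
    # Sets verify_mode=CERT_REQUIRED, check_hostname=True and loads the OS store.
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    if ca_pem is not None:
        # Add a private CA (e.g. the one that signed a cluster's self-signed certs)
        # without dropping the OS store; raises ssl.SSLError if the PEM has no cert.
        ctx.load_verify_locations(cadata=ca_pem)
    if certfile is not None:
        # Client certificate for mutual TLS, as the K/V software above required.
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    """True only if the context both validates the chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def ca_pem_is_loadable(ca_pem: str) -> bool:
    """Check a CA PEM string without leaving a half-configured context behind."""
    try:
        build_client_context(ca_pem=ca_pem)
        return True
    except (ssl.SSLError, ValueError):
        return False
```

Running `trust_store_summary()` on the target host is the quickest way to see whether the OS bundle is actually visible to Python (both `cafile` and `capath` being None means every verified connection will fail until a bundle is installed or passed explicitly).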
